
Version 0.33 not iterating over all key algorithms #789

Closed
filip-lebiecki opened this issue May 25, 2022 · 5 comments

Comments

@filip-lebiecki

With SSHJ 0.33, if a specific key has more than 2 algorithms then the library will take only the first 2 (not iterating over all algorithms).
For example for RSA we have:
rsa-sha2-512
rsa-sha2-256
ssh-rsa

SSHJ will only take rsa-sha2-512, then it will try rsa-sha2-256 and then it will fail (without trying ssh-rsa).
This bug was introduced in #763.

@fakemail324

@dkocher and @ylangisc please take a look at this as it looks related to #761 and #763.
Looks like KeyedAuthMethod.shouldRetry() is called only once after checking rsa-sha2-512 in this case, which causes it to check rsa-sha2-256 next. But instead of continuing to iterate over the list of all available algorithms, it fails.

@ylangisc
Contributor

I'm unable to reproduce the issue described with the following setup:

Output on the server side shows that all three available algorithms are tested:

root@464bbcb61ac0:/etc/ssh# /usr/sbin/sshd -D -e -o PermitRootLogin=yes
Server listening on 0.0.0.0 port 22.
Server listening on :: port 22.
Received disconnect from 172.17.0.1 port 60132:11: 
Disconnected from user root 172.17.0.1 port 60132
userauth_pubkey: signature algorithm rsa-sha2-512 not in PubkeyAcceptedAlgorithms [preauth]
userauth_pubkey: signature algorithm rsa-sha2-256 not in PubkeyAcceptedAlgorithms [preauth]
Accepted publickey for root from 172.17.0.1 port 60134 ssh2: RSA SHA256:h4vShve4t4eK53u4PK+lfMfsL6Y7xiiet6LWF5iZAN0

@filip-lebiecki
Author

Turns out the server with PubKeyAcceptedAlgorithms=ssh-rsa had MaxAuthTries set to 2.
With that, sshj is trying rsa-sha2-512, then rsa-sha2-256, and then is getting an auth failure.
Increasing MaxAuthTries to 3 on the server side fixed the issue.
Looks like the previous version of sshj, 0.32, was starting with ssh-rsa or knew which algorithm to use in the first attempt.
Thank you very much for your assistance.
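The interaction described in this thread, where the server's MaxAuthTries budget runs out before the client reaches the one signature algorithm in PubkeyAcceptedAlgorithms, is easy to check with a small simulation. The following is an added example written for this page, not code from sshj or OpenSSH; the class and function names (SimulatedServer, authenticate, minimum_max_auth_tries) and the failure-counting rule (disconnect once failed attempts reach MaxAuthTries, which is what the thread's logs show) are assumptions of the example. It also generalizes the thread's case: minimum_max_auth_tries computes, for any accepted-algorithm set, the smallest MaxAuthTries under which a client trying the algorithms in sshj's order can still succeed.

```python
"""Simulation of MaxAuthTries vs. a client that tries several signature
algorithms for one RSA key. Added example; not sshj or OpenSSH code."""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Order in which the client tries signature algorithms for an RSA key,
# as described in the issue (rsa-sha2-512 first, ssh-rsa last).
CLIENT_RSA_SIG_ALGS: List[str] = ["rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"]


class TooManyAuthFailures(Exception):
    """Raised when the simulated server disconnects the client."""


@dataclass
class SimulatedServer:
    """Minimal model of the two sshd_config settings that matter here:
    PubkeyAcceptedAlgorithms and MaxAuthTries. (Assumed model, not sshd.)"""
    pubkey_accepted_algorithms: Set[str]
    max_auth_tries: int
    failures: int = 0
    log: List[str] = field(default_factory=list)

    def try_publickey(self, sig_alg: str) -> bool:
        """One publickey attempt with the given signature algorithm.
        Returns True on acceptance, False on a counted failure, and raises
        once the failure count reaches MaxAuthTries."""
        if sig_alg in self.pubkey_accepted_algorithms:
            self.log.append(f"Accepted publickey (RSA, signature algorithm {sig_alg})")
            return True
        self.log.append(
            f"userauth_pubkey: signature algorithm {sig_alg} "
            "not in PubkeyAcceptedAlgorithms [preauth]"
        )
        self.failures += 1
        if self.failures >= self.max_auth_tries:
            self.log.append("Disconnecting: Too many authentication failures")
            raise TooManyAuthFailures(sig_alg)
        return False


def authenticate(server: SimulatedServer,
                 sig_algs: List[str] = CLIENT_RSA_SIG_ALGS) -> Optional[str]:
    """Try each algorithm in client order. Returns the algorithm that was
    accepted, or None if the server disconnected first."""
    for alg in sig_algs:
        try:
            if server.try_publickey(alg):
                return alg
        except TooManyAuthFailures:
            return None
    return None


def minimum_max_auth_tries(accepted: Set[str],
                           sig_algs: List[str] = CLIENT_RSA_SIG_ALGS) -> Optional[int]:
    """Smallest MaxAuthTries that lets a client trying sig_algs in order reach
    an accepted algorithm, or None if no algorithm in the list is accepted.
    Each rejected algorithm costs one try, so the answer is the 1-based
    position of the first accepted algorithm."""
    for position, alg in enumerate(sig_algs, start=1):
        if alg in accepted:
            return position
    return None


if __name__ == "__main__":
    # The thread's setup: only ssh-rsa accepted, MaxAuthTries 2 -> fails.
    srv = SimulatedServer({"ssh-rsa"}, max_auth_tries=2)
    print("MaxAuthTries=2:", authenticate(srv), srv.log)
    # Raising MaxAuthTries to 3 lets the third attempt (ssh-rsa) through.
    srv = SimulatedServer({"ssh-rsa"}, max_auth_tries=3)
    print("MaxAuthTries=3:", authenticate(srv), srv.log)
    print("Minimum MaxAuthTries for ssh-rsa only:",
          minimum_max_auth_tries({"ssh-rsa"}))
```

Running the script reproduces the two outcomes in the thread: with MaxAuthTries=2 the connection is dropped after rsa-sha2-256 is rejected and ssh-rsa is never tried; with 3 the third attempt succeeds. The minimum_max_auth_tries check is the quick way for an operator to see whether a server that accepts only a later algorithm in the client's list leaves enough tries for it to be reached.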

@sawanverma

Turns out the server with PubKeyAcceptedAlgorithms=ssh-rsa had MaxAuthTries set to 2. With that, sshj is trying rsa-sha2-512, then rsa-sha2-256, and then is getting an auth failure. Increasing MaxAuthTries to 3 on the server side fixed the issue. Looks like the previous version of sshj, 0.32, was starting with ssh-rsa or knew which algorithm to use in the first attempt. Thank you very much for your assistance.

I increased this to even 10 and even then it's not working. Our production upgrade is failing due to the same issue after we upgraded to 0.35.0. Please suggest.

@hierynomus
Owner

@sawanverma This issue is closed; can you post a bit more background/details on what exactly is failing? The RSA2/RSA switcharoo and MaxAuthRetries should work correctly.
